Malicious Web Page Detection Based on Anomaly Behavior

Size: px

Start display at page:

Download "Malicious Web Page Detection Based on Anomaly Behavior"

Theodora Watkins
5 years ago
Views:

1 Malicious Web Page Detection Based on Anomaly Behavior Chia-Mei Chen Department of Information Management, National Sun Yat-Sen University, Taiwan 2009/7/28 1

2 Outline 1 Introductions 2 The Proposed Approach 3 4 System Implementation and Experiment Conclusions 2009/7/28 2

3 Background Introductions With the rapid development of the computer networks, people nowadays are dependent on the Internet increasingly. Browsing webpage is insecure due to the vulnerabilities of browsers and web applications. 2009/7/28 3

4 Background Introductions The common vulnerability of web applications (Stuttard & Pinto, 2007) 2009/7/28 4

5 Motivation Introductions The evading mechanisms used by hackers somehow make the behavior of malicious web pages different from normal web pages. We find out some special and interesting characters of malicious web pages through three aspects: injection media obfuscation and redirection We present a new malicious web page detection algorithm based on anomaly behavior detection. 2009/7/28 5

6 The Proposed Approach The Proposed Approach The architecture of proposed system, WPC (Web Page Checker) 2009/7/28 6

7 Web Page URL Extraction Module The Proposed Approach Web page URL extraction module: Tracing and recording suspicious HTTP request URLs. Providing a connection topology about the target web page. Web page crawler module: crawling back resources requested by invisible JavaScript or iframe tags. 2009/7/28 7

8 Behavior Extraction Module The Proposed Approach Behavior Extraction Module: Webpage encoding detection. Sensitive keywords splitting detection. Sensitive keywords encoding detection. Redirection detection. Unreasonable coding styles detection. 2009/7/28 8

9 MoBR Module The Proposed Approach MoBR module: Using templates to address common malicious web page species or family based on semantic and signature. 2009/7/28 9

10 Anomaly Behavior Scoring Module The Proposed Approach Based on our observation, we identify the most important characters of malicious web pages. A formula is used for behavior scoring to detect anomaly behavior of malicious web pages based on expert knowledge. 2009/7/28 10

11 Anomaly Behavior Scoring Module The Proposed Approach WPC (Web Page Checker) alarms the web page with scores above threshold. Behavior Scoring Formula: 2009/7/28 11

12 Predictor Variables Redirection Rate Sensitive Keywords Splitting Rate Sensitive Keywords Encoding Rate Sensitive Keywords Splitting Encoding Rate Depth Unreasonable Coding Styles Rate - using eval() method Unreasonable Coding Styles Rate - using document.writ e() method AlgoExMD Rate Brief Description Redirection Rate is defined as the number of pages which are identified as having redirection behavior. SKSR is defined as the number of pages which are identified as having sensitive keywords splitting behavior. SKER is defined as the number of pages which are identified as having sensitive keywords encoding behavior. SKSER is defined as the number of pages which are identified as not only having sensitive keywords splitting behavior, but also sensitive keywords encoding behavior. In our definition, the depth is defined as the height of a tree. In tree data structure, the height of a node is the length of the longest downward path to a leaf from that node. And the height of the root is the height of the tree. (Tree (data structure).) UCSR-eval is defined as the number of pages which are identified as having unreasonable coding styles using eval() method. UCSR-document.write is defined as the number of pages which are identified as having unreasonable coding styles using document.write() method. AlgoExMD Rate is defined as the number of pages which are identified as malicious web pages by AlgoExMD algorithm in MoBR module. Symbol SKSER UCSR-eval UCSRdocu ment. write AlgoExMD Rate Level 2 Level 2 Level 2 Level 3 Max Encoded Encoded Times is defined as the number of times a web page is encoded. In our MET Level 3 Times observation, malicious web pages may encode themselves recursively. And 2009/7/28 MET is defined as the max number of times a web page is encoded of total tested web pages. 12 RR SKSR SKER Depth Importance Level Level 1 Level 1 Level 1 Level 1

13 System Implementation System Implementation and Experiment design Our implementation of WPC: A plug-in for Internet Explorer 6. Developing a DLL for IE /7/28 13

14 Experiments System Implementation and Experiment design Comprehensive comparison. 2009/7/28 14

15 Conclusions Conclusions and Future Work The contributions of WPC: A new anomaly behavior aspect for malicious web page detection. Client-side solution for detecting malicious web pages. the system implementation and deployment are not difficult. Real-time protection for Internet browsers. 2009/7/28 15

16 2009/7/28 16

Hybrid Obfuscated Javascript Strength Analysis System for Detection of Malicious Websites

Hybrid Obfuscated Javascript Strength Analysis System for Detection of Malicious Websites R. Krishnaveni, C. Chellappan, and R. Dhanalakshmi Department of Computer Science & Engineering, Anna University,